
Re: Using back-ldap as a client-side proxy/cache

On 4 Mar 2010, at 10:03, Ryan Steele wrote:

> Howard Chu wrote:
>> Ryan Steele wrote:
>>> Hey folks,
>>>
>>> In order to provide stability to my OpenLDAP clients in the event of a
>>> network outage, I would like to implement some client-side caching.
>>> I've done some research, and have concluded that nscd is evil and
>>> should be avoided at all costs,
>>
>> It's not necessarily evil, it just doesn't work...

Damn straight it doesn't work. I end up shooting it in the face wherever I can. For some reason, SLES seems to be particularly good at breaking things, IME. Debian/Ubuntu and RHEL/CentOS seem to be more forgiving - slightly.

Anyway - I've also been hacking out a caching proxy config for our enterprise directory, so for what it's worth, this is it. It's by no means optimised - so feel free to hack it to pieces.

I've omitted the access controls and ssf constraints, since that's not going to be useful for all setups.

moduleload back_hdb.la
moduleload back_ldap.la
moduleload pcache.la

database        ldap
suffix          "dc=llnw,dc=com"
uri             "ldap://ldap.llnw.com"
tls             start tls_cacert=/etc/ssl/certs/cacert.org.pem tls_reqcert=demand
rootdn          "cn=admin,dc=llnw,dc=com"
rootpw         <secret squirrel stuff>
network-timeout 10
idle-timeout    30

overlay pcache
pcache hdb 10000 1 1000 100
pcacheAttrset 0 cn uid llnwUnixUsername uidNumber gidNumber member memberUid homeDirectory loginShell 
pcacheTemplate (&(objectClass=)(llnwUnixUsername=)) 0 3600
pcacheTemplate (&(objectClass=)(cn=)) 0 3600
pcacheTemplate (&(objectClass=)(gidNumber=)) 0 3600
pcacheTemplate (objectClass=) 0 3600
pcacheTemplate (&(objectClass=)(|(member=)(memberUid=))) 0 3600
pcacheTemplate (&(objectClass=)(member=)) 0 3600
pcacheTemplate (&(objectClass=)(memberUid=)) 0 3600
pcacheBind (&(objectClass=posixAccount)(llnwUnixUsername=)) 0 1800 sub dc=llnw,dc=com
pcachePersist TRUE
pcacheOffline FALSE
cachesize 1000
pcachePosition head
directory /var/lib/ldap

[This gets set up to listen only to the ldapi:/// URI, and nslcd.conf has a "uri ldapi:///" line in its config]

Our internal schema has uid set to <name>@llnw.com, so that won't do as a login name - we have an internal attribute llnwUnixUsername which does the same thing. You might well want to substitute uid where that exists.

And while nssov is really cute, since it exists in the same process space as slapd, it doesn't end up triggering the pcache, which does get fired upon incoming LDAP requests from an external process (nslcd). It's probably that I just suck, and didn't configure slapd quite right, but that's why I ended up still using nslcd and slapd on the same box.

On the plus side, this works quite well for laptop configurations which have partial connectivity. Mind you, when I mentioned having enterprise credentialing on personal laptops to my colleagues, the response was ... less than enthusiastic.

Anyway - hope this helps.

Systems Architect

(602) 850-5783 work
+44 7976 616583 mobile
+1 (602) 535-6914 US mobile
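Added example, not part of the original mail and not OpenLDAP code: a small linter for a back-ldap + pcache fragment like the one above. It parses the directives the message uses and reports the points worth checking before trusting such a proxy: that every pcacheTemplate/pcacheBind refers to an attrset that is actually defined and within the count declared on the `pcache` line, that TTLs are positive, that the upstream connection uses StartTLS with `tls_reqcert=demand`, and that `network-timeout`/`idle-timeout` are set so clients do not hang when the upstream is down. The sample configuration is the one from the message (abridged, rootpw placeholder kept); the weakened variant is constructed to show findings.

```python
"""Lint a slapd.conf back-ldap + pcache fragment (added example, not OpenLDAP code)."""
import shlex

# Constructed sample: the configuration from the message, abridged.
SAMPLE_CONF = """\
moduleload back_hdb.la
moduleload back_ldap.la
moduleload pcache.la

database        ldap
suffix          "dc=llnw,dc=com"
uri             "ldap://ldap.llnw.com"
tls             start tls_cacert=/etc/ssl/certs/cacert.org.pem tls_reqcert=demand
rootdn          "cn=admin,dc=llnw,dc=com"
rootpw          <secret squirrel stuff>
network-timeout 10
idle-timeout    30

overlay pcache
pcache hdb 10000 1 1000 100
pcacheAttrset 0 cn uid llnwUnixUsername uidNumber gidNumber member memberUid homeDirectory loginShell
pcacheTemplate (&(objectClass=)(llnwUnixUsername=)) 0 3600
pcacheTemplate (&(objectClass=)(gidNumber=)) 0 3600
pcacheTemplate (objectClass=) 0 3600
pcacheTemplate (&(objectClass=)(|(member=)(memberUid=))) 0 3600
pcacheBind (&(objectClass=posixAccount)(llnwUnixUsername=)) 0 1800 sub dc=llnw,dc=com
pcachePersist TRUE
pcacheOffline FALSE
cachesize 1000
pcachePosition head
directory /var/lib/ldap
"""

# Constructed weakened variant: plain ldap:// with no StartTLS, no timeouts,
# and a template pointing at an attrset that was never declared.
WEAK_CONF = """\
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap.example.com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
overlay pcache
pcache hdb 10000 1 1000 100
pcacheAttrset 0 cn uid uidNumber gidNumber
pcacheTemplate (&(objectClass=)(uid=)) 0 3600
pcacheTemplate (&(objectClass=)(gidNumber=)) 1 3600
"""


def parse_conf(text):
    """Return [(directive, [args])] with the directive name lower-cased."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quoted suffix/uri/rootdn values
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def check_pcache(entries):
    """Findings about the pcache overlay section; empty list means clean."""
    findings = []
    declared = None  # numattrsets from the 'pcache <db> <max> <numattrsets> ...' line
    attrsets = {}
    for name, args in entries:
        if name == "pcache" and len(args) >= 3:
            declared = int(args[2])
        elif name == "pcacheattrset":
            attrsets[int(args[0])] = args[1:]
    if declared is not None and len(attrsets) != declared:
        findings.append(f"pcache declares {declared} attrset(s) but {len(attrsets)} defined")
    for name, args in entries:
        if name in ("pcachetemplate", "pcachebind"):
            filt, idx, ttl = args[0], int(args[1]), int(args[2])
            if idx not in attrsets:
                findings.append(f"{name} {filt} uses undefined attrset {idx}")
            if ttl <= 0:
                findings.append(f"{name} {filt} has non-positive TTL {ttl}")
    return findings


def check_upstream(entries):
    """Findings about the back-ldap connection to the real directory."""
    findings = []
    directives = {name: args for name, args in entries}  # last occurrence wins
    uri = directives.get("uri", [""])[0]
    tls = directives.get("tls", [])
    if uri.startswith("ldap://") and not tls:
        findings.append("uri is ldap:// with no 'tls' directive: proxied binds cross the network in clear")
    opts = dict(o.split("=", 1) for o in tls[1:] if "=" in o)
    if tls and opts.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert is not 'demand': upstream certificate is not verified")
    for key in ("network-timeout", "idle-timeout"):
        if key not in directives:
            findings.append(f"{key} not set: clients may hang when the upstream is unreachable")
    return findings


def lint(text):
    """All findings for one configuration fragment."""
    entries = parse_conf(text)
    return check_pcache(entries) + check_upstream(entries)


if __name__ == "__main__":
    for label, conf in (("message config", SAMPLE_CONF), ("weakened config", WEAK_CONF)):
        print(f"{label}: {lint(conf) or ['no findings']}")
```

Run it as-is to see the message's configuration come back clean and the weakened variant produce four findings; point `lint()` at your own slapd.conf text to check a local proxy the same way.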
